
[CN3014] CYBER SECURITY

OPEN ELECTIVE – I

M.Tech (CN&IS) II Year I sem.

Prof. A. Damodaram
School of Information Technology
JNTU-Hyderabad
Cyber Offenses: How Criminals Plan Them

Unit 2: Learning Objectives
- Understand different types of cyber attacks.
- Get an overview of the steps involved in planning cybercrime.
- Understand tools used for gathering information about the target.
- Get an overview of social engineering.
- Learn about the role of cyber cafes in cybercrime.
- Understand what cyber stalking is.
- Learn about botnets and attack vectors.
- Get an overview of cloud computing.
UNIT-II Syllabus
1. Introduction
2. Categories of Cybercrime
3. How Criminals Plan the Attack
4. Social Engineering
5. Cyber Stalking
6. Cybercafe and Cybercrimes
7. Botnet
8. Attack Vector
9. Cloud Computing
2.1 Introduction
Cybercriminals use the World Wide Web and the Internet to an optimal level for illegal activities.

These criminals take advantage of the widespread lack of awareness about cybercrimes and cyber laws among people who constantly use the IT infrastructure for official and personal purposes.
Few terminologies
Hacker: a hacker is a person with a strong interest in computers who enjoys learning and experimenting with them. Hackers are usually very talented, smart people who understand computers better than others.
Brute force hacking: a technique used to find passwords or encryption keys. It involves trying every possible combination of letters, numbers, etc., until the code is broken.
Few terminologies
Cracker: a cracker is a person who breaks into computers. They are computer criminals. Their acts include vandalism, theft and snooping in unauthorized areas.
Cracking: the act of breaking into computers. Cracking is a popular, growing subject on the Internet. Many sites are devoted to supplying crackers with programs that allow them to crack computers (e.g. by guessing passwords).
Cracker tools: programs that break into computers, such as password crackers, Trojans, viruses, war dialers and worms.
Few terminologies
Phreaking: the notorious art of breaking into phone or other communication systems.
War dialer: a program that automatically dials phone numbers looking for computers on the other end. It catalogs the numbers so that hackers can call back and try to break in.
2.1.1 Categories of Cybercrime
By target of the crime:
- Crimes targeted at individuals
- Crimes targeted at property
- Crimes targeted at organizations
By whether the crime occurs as a single event or as a series of events:
- Single event cybercrime: hacking or fraud
- Series of events: cyberstalking
2.2 How Criminals Plan the Attacks
Phases involved in planning cybercrime:
1. Reconnaissance: information gathering; the first phase; a passive attack.
2. Scanning and scrutinizing the gathered information: to check the validity of the information as well as to identify the existing vulnerabilities.
3. Launching an attack: gaining and maintaining system access.
Types of attacks:
Active attack
- Used to alter the system
- Affects the availability, integrity and authenticity of data
Passive attack
- Attempts to gain information about the target
- Leads to breaches of confidentiality
Inside attack
- An attack originating from and/or attempted within the security perimeter of an organization
- Gains access to more resources than expected
Outside attack
- Attempted by a source outside the security perimeter
- May be an insider or an outsider who is indirectly associated with the organization
- Attempted through the Internet or a remote access connection
2.2.1 Reconnaissance
A reconnaissance attack occurs when an adversary tries to learn information about your network.
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is also known as information gathering.
Reconnaissance is somewhat analogous to a thief investigating a neighborhood for vulnerable homes, such as an unoccupied residence or a house with an easy-to-open door or window. In many cases, intruders look for vulnerable services that they can exploit later, when there is less likelihood that anyone is looking.
It is the preparatory phase to understand the system, its network ports and services, and other aspects of security that are needed for launching the attack.
An attacker attempts to gather information in two phases:
1. Passive attack
2. Active attack
2.2.2 Passive attacks
- Involve gathering information about the target without his/her knowledge.
- Google or Yahoo search: to locate information about employees.
- Surfing online community groups (e.g. Facebook): to gain information about an individual.
- Organization's website: for a personnel directory or information about key employees; used in social engineering attacks to reach the target.
- Blogs, newsgroups, press releases, etc.
- Going through job postings.
- Network sniffing: information on Internet Protocol address ranges, hidden servers or networks, or services on the system.
Tools used during passive attacks
- Google Earth
- Internet Archive: permanent access for researchers, historians and scholars to historical collections
- Professional community: LinkedIn
- People Search
- Domain Name Confirmation
- WHOIS
- Nslookup
- DNSstuff
- Traceroute
- Visual Route Trace
- eMailTrackerPro
- HTTrack
2.2.3 Active Attacks
"Rattling the doorknobs"
Active reconnaissance involves probing the network to discover individual hosts and to confirm the information gathered in the passive attack phase.
It can provide confirmation to an attacker about the security measures in place.
Tools used during active attacks
- Hmap
- Hping
- Hunt
- Netcat
- Nmap
- TCPdump
- TCPreplay
- Arphound
- Arping
- Bing
- Bugtraq
- Dig
- DNStracer
- Dsniff
- Filesnarf
- FindSMB
2.2.4 Scanning and Scrutinizing gathered information
This is a key step: intelligently examining the information gathered about the target.
The objectives are:
1. Port scanning
2. Network scanning
3. Vulnerability scanning
What is Port Scanning?
The act of systematically scanning a computer's ports.
- Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer.
- It is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.
- There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an Internet server opens a port, which opens a door to your computer.
- There are, however, software products that can stop a port scanner from doing any damage to your system.
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite, which is used universally to communicate on the Internet.
Each of these has ports 0 through 65535 available, so essentially there are more than 65,000 doors to lock.
The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS.
Some of the ports above 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for any program or application.
Port scan
A port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.
The result of a scan on a port is usually generalised into one of the following categories:
1. Open or accepted
2. Closed or not listening
3. Filtered or blocked
Types of port scans:
- Vanilla: the scanner attempts to connect to all 65,535 ports.
- Strobe: a more focused scan looking only for known services to exploit.
- Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall.
- UDP: the scanner looks for open UDP ports.
- Sweep: the scanner connects to the same port on more than one machine.
- FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan.
- Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.
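The two scan shapes described above leave different traces in a firewall log: a vanilla or strobe scan touches many ports on one host from a single source, while a sweep touches the same port on many hosts. The following Python program is an added example for the port-scan and scan-type slides, not part of the course material; it parses a constructed firewall log format (the field names `src`, `dst`, `dport` and the thresholds are assumptions for this example) and flags both patterns from a defender's side.

```python
"""Detect port-scan patterns in firewall logs (added example, not course material).

Two of the scan types described in the slides leave distinct traces:
  - a vanilla/strobe scan touches many ports on ONE host from one source
    (a "vertical" scan);
  - a sweep touches the SAME port on many hosts (a "horizontal" scan).
The log format below is constructed for this example; a real firewall
or IDS will use its own field names.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from any real device).
SAMPLE_LOG = """\
2024-03-01T09:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01T09:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T09:00:02 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T09:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2024-03-01T09:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp
2024-03-01T09:00:10 DENY src=198.51.100.4 dst=192.0.2.11 dport=22 proto=tcp
2024-03-01T09:00:10 DENY src=198.51.100.4 dst=192.0.2.12 dport=22 proto=tcp
2024-03-01T09:00:11 DENY src=198.51.100.4 dst=192.0.2.13 dport=22 proto=tcp
2024-03-01T09:00:11 DENY src=198.51.100.4 dst=192.0.2.14 dport=22 proto=tcp
2024-03-01T09:00:12 DENY src=198.51.100.4 dst=192.0.2.15 dport=22 proto=tcp
2024-03-01T09:05:00 ALLOW src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:05:01 ALLOW src=192.0.2.50 dst=192.0.2.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_log(text):
    """Turn raw lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            events.append(d)
    return events

def detect_scans(events, port_threshold=5, host_threshold=5):
    """Return a list of (kind, source, detail) findings.

    kind is "vertical" when one source hits >= port_threshold distinct
    ports on a single host, and "horizontal" when one source hits the
    same port on >= host_threshold distinct hosts.
    """
    ports_per_target = defaultdict(set)   # (src, dst)   -> {dport, ...}
    hosts_per_port = defaultdict(set)     # (src, dport) -> {dst, ...}
    for e in events:
        ports_per_target[(e["src"], e["dst"])].add(e["dport"])
        hosts_per_port[(e["src"], e["dport"])].add(e["dst"])

    findings = []
    for (src, dst), ports in sorted(ports_per_target.items()):
        if len(ports) >= port_threshold:
            findings.append(("vertical", src, {"target": dst, "ports": sorted(ports)}))
    for (src, dport), hosts in sorted(hosts_per_port.items()):
        if len(hosts) >= host_threshold:
            findings.append(("horizontal", src, {"port": dport, "hosts": sorted(hosts)}))
    return findings

if __name__ == "__main__":
    for kind, src, detail in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{kind:10s} scan from {src}: {detail}")
```

Both counters are keyed on distinct values rather than raw event counts, so a legitimate client reconnecting to one service many times (the last two lines) never trips either threshold. Real deployments add a time window and treat ALLOW/DENY separately; the thresholds are deliberately low here so the constructed sample triggers both rules.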
Scrutinizing phase
Called "enumeration" in the hacking world.
The objective behind this step is to identify:
1. Valid user accounts or groups
2. Network resources and/or shared resources
3. The OS and the different applications running on it
2.2.5 Attack (Gaining and Maintaining System Access)
After scanning and scrutinizing, the attack is launched using the following steps:
1. Crack the password
2. Exploit the privileges
3. Execute the malicious commands/applications
4. Hide the files
5. Cover the tracks: delete access logs, so that there is no trail of the illicit activity
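Step 5, deleting access logs, is the one a defender can make visible rather than prevent outright. The Python program below is an added example, not part of the course material: it stores each access-log entry with a SHA-256 hash chained to the previous record, so that removing, editing or truncating entries is detected when the chain is verified against a head hash kept off the host (the log lines and the off-host "head" are constructed for this example).

```python
"""Tamper-evident access log via a hash chain (added example, not course material).

Step 5 of the attack ("cover the tracks") is deleting access logs. A
defender can make such deletion detectable by chaining log entries:
each stored record carries SHA-256(previous_hash || entry), and the
latest hash is copied off-host (e.g. to a central log server). Removing
or editing any entry then breaks the chain, and truncating the tail is
caught by comparing against the off-host copy of the head hash.
The log lines are constructed for this example.
"""
import hashlib

GENESIS = "0" * 64  # fixed anchor for the first entry

def _link(prev_hash, entry):
    return hashlib.sha256((prev_hash + "\n" + entry).encode("utf-8")).hexdigest()

def build_chain(entries):
    """Return a list of (entry, hash) records; hash[i] depends on all earlier entries."""
    records, prev = [], GENESIS
    for entry in entries:
        h = _link(prev, entry)
        records.append((entry, h))
        prev = h
    return records

def verify_chain(records, expected_head=None):
    """Recompute the chain. Returns (ok, first_bad_index_or_None).

    A record whose hash does not match the recomputed value means that
    record, or one before it, was altered or removed. If expected_head
    (the hash copied off-host) is given, a chain that verifies but ends
    at a different hash has been truncated or replaced.
    """
    prev = GENESIS
    for i, (entry, h) in enumerate(records):
        if _link(prev, entry) != h:
            return False, i
        prev = h
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None

# Constructed sample access-log entries.
LOG_ENTRIES = [
    "2024-03-01T10:00:00 login user=alice src=192.0.2.50 result=ok",
    "2024-03-01T10:03:12 sudo user=alice cmd=/usr/bin/less /var/log/auth.log",
    "2024-03-01T10:05:40 login user=bob src=203.0.113.7 result=fail",
    "2024-03-01T10:05:44 login user=bob src=203.0.113.7 result=ok",
    "2024-03-01T10:06:01 logout user=alice",
]

def demo():
    """Show that deleting or truncating entries is detected."""
    chain = build_chain(LOG_ENTRIES)
    head = chain[-1][1]                      # copied off-host at write time
    intact = verify_chain(chain, head)
    # An intruder deletes the failed-login record (index 2).
    deleted = chain[:2] + chain[3:]
    # An intruder truncates the last two records instead.
    truncated = chain[:3]
    return intact, verify_chain(deleted, head), verify_chain(truncated, head)

if __name__ == "__main__":
    print(demo())
```

The chain alone only proves internal consistency: an intruder with write access to the log could recompute every hash after editing. That is why `verify_chain` also takes the head hash that was shipped off-host at write time; without that external anchor, a rebuilt chain would pass. Forwarding the log itself to a separate collector, as most SIEM setups do, gives the same guarantee with less bookkeeping.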
2.3 Social Engineering
A technique of influence and persuasion used to deceive people into giving out information or performing some action.
A social engineer usually uses telecommunications or the Internet to get people to do something that is against the security practices and/or policies of the organization.
SE involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.
It is the art of exploiting the trust of people.
Social Engineering
- Social engineering is a non-technical method of intrusion that hackers use; it relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
- A social engineer runs what used to be called a "con game."
- For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network's security.
- Social engineers often rely on the natural helpfulness of people as well as on their weaknesses.
- They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned eavesdropping are other typical social engineering techniques.
2.3.1 Classification of Social Engineering
1. Human-Based Social Engineering
Needs interaction with humans; it means person-to-person contact and then retrieving the desired information. People use human-based social engineering techniques in different ways; the most popular methods are:
- Impersonating an employee or valid user
- Posing as an important user
- Using a third person
- Calling technical support
- Shoulder surfing
- Dumpster diving

2. Computer-Based Social Engineering
Computer-based social engineering uses computer software that attempts to retrieve the desired information.
- Fake e-mails
- E-mail attachments
- Pop-up windows
Impersonation
In this type of social-engineering attack, the hacker pretends to be an employee or valid user on the system. A hacker can gain physical access by pretending to be a janitor, employee, or contractor.
To attackers, sets of valid credentials are a coveted asset. An attacker who has obtained valid user credentials through social engineering techniques has the ability to roam the network with impunity searching for valuable data. In log data, the attacker's activities are easily hidden due to the inability to see the subtle differences in behaviors and access characteristics. Yet this phase of the classic attack chain often represents the lengthiest portion of the attack.
Posing as an important user
In this type of attack, the hacker pretends to be a VIP or high-level manager who has the authority to use computer systems or files.
Most of the time, low-level employees don't ask any questions of someone who appears to be in this position.
Being a third party
In this attack, the hacker pretends to have permission from an authorized person to use the computer system. It works when the authorized person is unavailable for some time.
Desktop support
Calling tech support for assistance is a classic social-engineering technique.
Help desk and technical support personnel are trained to help users, which makes them good prey for social engineering attacks.
Shoulder surfing
Shoulder surfing is the technique of gathering passwords by watching over a person's shoulder while they log in to the system.
A hacker can watch a valid user log in and then use that password to gain access to the system.
Dumpster diving
Dumpster diving involves looking in the trash for information written on pieces of paper or computer printouts.
The hacker can often find passwords, filenames, or other pieces of confidential information like SSNs, PANs, credit card numbers, etc.
Also called dumpstering, binning, trashing, garbaging, garbage gleaning or scavenging.
Fake E-mails
Phishing involves false e-mails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data.
- A message might come from a bank or other well-known institution with the need to "verify" your login information. It will usually be a mocked-up login page with all the right logos to look legitimate.
The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords without the knowledge of AOL users. They replaced "f" with "ph".
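The traits the slide lists (a message that claims to come from a bank, pressure to "verify" login details, a link to a mocked-up login page) can each be checked mechanically on an incoming message. The Python program below is an added example, not part of the course material: it parses a constructed phishing e-mail and reports the indicators it finds. The trusted-domain list, the urgency keyword list and the sample message are assumptions made for this example.

```python
"""Flag common phishing indicators in an e-mail (added example, not course material).

Checks a raw RFC 5322 message for the traits the slide describes: a
sender impersonating a well-known institution, pressure to "verify"
login details, and links whose visible text differs from where they
really point. The message, the trusted-domain list and the keyword list
are constructed for this example.
"""
import email
import email.policy
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation actually does business with.
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("verify", "suspended", "within 24 hours", "immediately")

# Constructed sample message; every host and address is documentation/example space.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examplebank-secure-login.com>
Reply-To: support@mail-recovery.example
To: customer@example.org
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your online banking access has been suspended.</p>
<p>Please <a href="http://198.51.100.23/login">https://www.examplebank.com/login</a>
to verify your identity immediately.</p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_indicators(raw):
    """Return a list of human-readable indicator strings (empty = nothing found)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. Display name drops a trusted brand but the address domain is not trusted.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower().replace(" ", "") and from_dom not in TRUSTED_DOMAINS:
            found.append(f"display name '{name}' but sender domain is {from_dom}")
    # 2. Reply-To goes somewhere other than the sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        found.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")
    # 3. Urgency / credential-verification language in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    # 4. Link text shows one host while the href points at another.
    if body and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, shown in collector.links:
            shown_host = urlparse(shown).hostname if re.match(r"https?://", shown) else None
            real_host = urlparse(href).hostname
            if shown_host and real_host and shown_host != real_host:
                found.append(f"link text says {shown_host} but points to {real_host}")
    return found

if __name__ == "__main__":
    for ind in phishing_indicators(SAMPLE_EMAIL):
        print("-", ind)
```

No single indicator is conclusive (a legitimate newsletter may use a separate Reply-To, and "immediately" appears in honest mail), which is why the function returns the whole list rather than a verdict; a mail gateway would score the indicators and only the combination seen in the sample, brand impersonation plus a disguised link, justifies quarantining.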
Baiting
Baiting involves dangling something you want to entice you to take an action the criminal desires.
- It can be in the form of a music or movie download on a peer-to-peer site, or it can be a USB flash drive with a company logo labeled "Executive Salary Summary Q1 2013" left out in the open for you to find.
- Then, once the device is used or the file downloaded, the person's or company's computer is infected with malicious software allowing the criminal to advance into your system.
E-Mail attachments
E-mails sent by scammers may have attachments that include malicious code. Those attachments can include keyloggers to capture users' passwords, viruses, Trojans, or worms.

Pop-up windows
Sometimes pop-up windows can also be used in social engineering attacks. Pop-up windows that advertise special offers may tempt users to unintentionally install malicious software.
2.4 Cyberstalking
Cyberstalking is the use of the Internet or other electronic means to stalk or harass an individual, a group, or an organization.
It may include false accusations, defamation, slander and libel. It may also include monitoring, identity theft, threats, vandalism, or gathering information that may be used to threaten or harass.
Cyberstalking is sometimes referred to as Internet stalking, e-stalking or online stalking.
Cyberstalking is a crime in which the attacker harasses a victim using electronic communication, such as e-mail or instant messaging (IM), or messages posted to a Web site or a discussion group.
A cyberstalker relies upon the anonymity afforded by the Internet to stalk their victim without being detected.
Cyberstalking messages differ from ordinary spam in that a cyberstalker targets a specific victim with often threatening messages, while the spammer targets a multitude of recipients with merely annoying messages.
2.4.1 Types of Stalkers
- Online stalkers
- Offline stalkers
Both are criminal offenses. Both are motivated by a desire to control, intimidate or influence a victim.
A stalker may be an online stranger or a person whom the target knows. He may be anonymous and solicit the involvement of other people online who do not even know the target.
2.4.2 How does stalking work?
1. Gathering personal information about the victim.
2. Establishing contact with the victim through telephone/cell phone, then starting to threaten or harass.
3. Establishing contact with the victim through e-mail.
4. Sending repeated e-mails asking for various kinds of favors or threatening the victim.
5. Posting the victim's personal information on websites related to illicit services.
6. Whoever comes across the information starts calling the victim on the given contact details, asking for sexual services.
7. Some stalkers may subscribe/register the victim's e-mail account to innumerable pornographic and sex sites, because of which the victim starts receiving such unsolicited e-mails.
2.5 Cybercafe and Cybercrimes
An Internet café or cybercafé is a place which provides Internet access to the public, usually for a fee.
According to a Nielsen survey on the profile of cybercafe users in India:
1. 37% of the total population use cybercafes
2. 90% of these were males in the age group 15-35 years
3. 52% were graduates and post graduates
4. > 50% were students
Hence, it is extremely important to understand the IT security and governance practiced in cybercafes.
Role of Cybercafe
- Used for either real or false terrorist communication.
- Used for stealing bank passwords and fraudulent withdrawal of money.
- Keyloggers or spyware
- Shoulder surfing
- Used for sending obscene mails to harass people.
They are not network service providers according to ITA 2000.
They are responsible for "due diligence".
2.6 Botnets: The Fuel for Cybercrime
- Bot: "an automated program for doing some particular task, often over a network"
- A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.
- Any such computer is referred to as a zombie: in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator.
- Most computers compromised in this way are home-based.
- According to a report from Russian-based Kaspersky Labs, botnets (not spam, viruses, or worms) currently pose the biggest threat to the Internet.
Botnet used for gainful purposes
(Diagram from the slide, reconstructed as a list.) A botnet is created and then either rented out or sold. It is used for:
- DDoS attacks
- Malware and spamdexing
- Phishing
- Adware installation attacks
- Spam attacks
- Stealing confidential information
The stolen information is in turn monetized by:
- Selling credit card and bank account details
- Selling personal identity information
- Selling Internet service and shop accounts
Ways to secure the system
- Use antivirus and anti-spyware software
- Install updates
- Use a firewall
- Disconnect from the Internet when not in use
- Don't trust free downloads
- Check the inbox and sent items regularly
- Take immediate action if the system is infected
2.7 Attack vector
An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome.
Attack vectors enable hackers to exploit system vulnerabilities, including the human element.
Attack vectors include viruses, e-mail attachments, Web pages, pop-up windows, instant messages, chat rooms, and deception. All of these methods involve programming (or, in a few cases, hardware), except deception, in which a human operator is fooled into removing or weakening system defenses.
To some extent, firewalls and anti-virus software can block attack vectors. But no protection method is totally attack-proof. A defense method that is effective today may not remain so for long, because hackers are constantly updating attack vectors, and seeking new ones, in their quest to gain unauthorized access to computers and servers.
If vulnerabilities are the entry points, then attack vectors are the ways attackers launch their assaults or try to infiltrate the building.
In the broadest sense, the purpose of an attack vector is to implant a piece of code that makes use of a vulnerability. This code is called the payload, and attack vectors vary in how a payload is implanted. The most common malicious payloads are viruses (which can function as their own attack vectors), Trojan horses, worms, and spyware.
If an attack vector is thought of as a guided missile, its payload can be compared to the warhead in the tip of the missile.
Different ways to launch attack vectors:
- Attack by e-mail
- Attachments
- Attack by deception: social engineering/hoaxes
- Hackers
- Heedless guests (attack by web page)
- Attack of the worms
- Malicious macros
- Foistware/sneakware
- Viruses
A zero-day attack
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch.
Software vulnerabilities may be discovered by hackers, by security companies or researchers, by the software vendors themselves, or by users.
If discovered by hackers, an exploit will be kept secret for as long as possible and will circulate only through the ranks of hackers, until software or security companies become aware of it or of the attacks targeting it.
ZERT
2.8 Cloud Computing
The growing popularity of cloud computing and virtualization among organizations has made it the next possible target of cybercriminals.
Cloud computing is Internet ("Cloud")-based development and use of computer technology.
Cloud computing is a term used for hosted services over the Internet.
2.8.1 Why Cloud computing?
Cloud computing has the following advantages:
- Applications and data can be accessed from anywhere at any time. Data need not be held on a hard drive on one user's computer.
- It could bring hardware costs down. One would only need an Internet connection.
- Organizations do not have to buy a set of software or software licences.
- Organizations do not have to rent physical space to store servers and databases.
2.8.2 Types of Services
Infrastructure-as-a-Service (IaaS): services like Amazon Web Services that provide virtual servers with unique IP addresses and blocks of storage on demand.
Platform-as-a-Service (PaaS): a set of software and development tools hosted on the provider's servers.
Software-as-a-Service (SaaS): the broadest market; the provider allows the customer only to use its applications.
2.8.3 Cybercrime and Cloud Computing
Cloud security is the future of cybersecurity.
- The prime area of risk in cloud computing is the protection of user data.
- The risks associated with a cloud computing environment, and how to remediate them, are:
Risk 1: Any data processed outside the organization brings with it an inherent level of risk.
Remediation: The customer should obtain as much information as he/she can about the service provider.

Risk 2: Cloud computing service providers are not able and/or not willing to undergo external assessments.
Remediation: The organization is entirely responsible for the security and integrity of its own data, even when it is held by a service provider.

Risk 3: The organizations that are obtaining cloud computing services may not be aware of where the data is hosted and may not even know in which country it is hosted.
Remediation: The organization should ensure that the service provider is committed to obeying local privacy requirements on behalf of the organization, and to storing and processing the data in the specified jurisdictions.

Risk 4: As the data will be stored in a shared environment, the encryption mechanism should be strong enough to segregate (separate) the data from that of another organization whose data are also stored on the same server.
Remediation: The organization should be aware of the arrangements made by the service provider for segregation of the data. The service provider should disclose its encryption schemes.

Risk 5: Business continuity in case of any disaster.
Remediation: The service provider has to provide complete restoration of data within a minimum timeframe.

Risk 6: Due to the complex IT environment and several customers logging in and out of the hosts, it becomes difficult to trace inappropriate and illegal activity.
Remediation: The organization should require the provider to supply security violation logs at frequent intervals.

Risk 7: In case of any major change in the cloud computing service provider, the service provided is at stake.
Remediation: The organization should ensure it can get its data back in case of such a major event.
